Krebs on Security

In-depth security news and investigation

Intuit Failed at ‘Know Your Customer’ Basics

Intuit, the makers of TurboTax, recently introduced several changes to beef up the security of customer accounts following a spike in tax refund fraud at the state and federal level. Unfortunately, those changes don’t go far enough. Here’s a look at some of the missteps that precipitated this mess, and what the company can do differently going forward.

As The Wall Street Journal noted in a story this week, competitors H&R Block and TaxAct say they haven’t seen a similar surge in fraud this year. Perhaps the bad guys are just picking on the industry leader. But with 29 million customers last year — far more than H&R Block or TaxAct (which each had about seven million) — TurboTax should also be leading the industry in security.

Keep in mind that none of the security steps described below are going to stop fraud alone. But taken together, they do or would provide more robust security for TurboTax accounts, and significantly raise the costs for criminals engaged in this type of fraud.

NO EMAIL VALIDATION

Intuit fails to take basic steps to validate key account information, such as email addresses and mobile numbers, and these failures have limited the company’s ability to enact stricter account security measures. In fact, TurboTax still does not require new users to verify their email address, a basic security precaution that even random Internet forums which don’t collect nearly as much sensitive data require of all new users.

Last month, KrebsOnSecurity featured an in-depth story that stemmed from information provided by two former Intuit security employees who accused the company of making millions of dollars knowingly processing tax refund requests filed by cybercriminals. Those individuals shared a great deal about Intuit’s internal discussions on how best to handle a spike in account takeovers and fraudsters using stolen personal information to file tax refund requests on unwitting consumers.

Both whistleblowers said the lack of email verification routinely led to bizarre scenarios in which customers would complain of seeing other peoples’ tax data in their accounts. These were customers who’d forgotten their passwords and entered their email address at the site to receive a password reset link, only to find their email address tied to multiple identities that belonged to other victims of stolen identity refund fraud.

In mid-February, Intuit announced that it would begin the process of prompting all users to validate their accounts, either by validating their email address, answering a set of knowledge-based authentication questions, or entering a code sent to their mobile phone.

In an interview today, Intuit’s leadership sidestepped questions about why the company still does not validate email addresses. But TurboTax Chief Information Security Officer Indu Kodukula did say TurboTax will no longer display multiple profiles tied to a single email address when users attempt to reset their passwords by supplying an email address.

“We had an option where when you entered an email address, we’d show you a list of user IDs that were associated with that address,” Kodukula said. “We’ve removed that option, so now if you try to do password recovery, you have to go back to the email associated with you.”

NO PHONE VALIDATION

As previously stated, TurboTax doesn’t require users to enter a valid mobile phone number, so multi-factor authentication will not be available for many new and existing customers. More importantly, in failing to require customers to supply mobile numbers, Intuit is passing up a major tool to combat fraud and account takeovers.

Verifying customers by sending a one-time code to their mobile that they then have to enter into the Web site before their account is created can dramatically drive up the costs for fraudsters. I’ve written several stories on academic research that looked at the market for bulk-created online accounts sought after by spammers, such as free Webmail and Twitter accounts. That research showed that bulk-created accounts at services which required phone verification were far more expensive than accounts at providers that lacked this requirement.

True, fraudsters can outsource this account validation process to freelancers, but there is no denying that it increases the cost of creating new accounts because scammers must have a unique mobile number for every account they create. TurboTax should require all users to supply a working mobile phone number.

NO NOTICE OF ACCOUNT CHANGES

Until very recently, if hackers broke into your TurboTax account and made important changes, you might never know about it until you went to file your return and received a notification that someone had already filed it for you. This allowed fraudsters who had hijacked an account to wait until the legitimate user had filled out their personal data, and then change the bank account to which the refund would be credited.

On Feb. 26, 2015, Intuit said it would begin notifying customers via email if any user profile data is altered, including the account password, email address, security question, login name, phone number, name or address.

NO ‘KNOW YOUR CUSTOMER’ VALIDATION

According to the interviews with Intuit’s former security employees, much of the tax refund fraud being perpetrated through TurboTax stems from a basic weakness: The company does not require new customers to do anything to prove their identity before signing up for a TurboTax account. During the account sign-up, you’re whoever you want to be. There is no identity proofing, such as a requirement to answer so-called “out-of-wallet” or “knowledge-based authentication” questions.

Out-of-wallet questions are hardly an insurmountable hurdle for fraudsters. Indeed, some of the major providers of these challenges have been targeted by underground identity theft services. But these questions do complicate things for fraudsters. Intuit should take a cue from credit score and credit file monitoring service creditkarma.com, which asks a series of these questions before allowing users to create an account. And, unlike turbotax.com — which will happily let multiple users create accounts with the same Social Security number and other information — creditkarma.com blocks this activity.

Kodukula said Intuit is considering requiring out-of-wallet questions at account signup. This is good news, because as I noted in last month’s story, Intuit’s anti-fraud efforts have been tempered by a focus on zero tolerance for “false positives” — the problem of incorrectly flagging a legitimate customer refund request as suspicious. Given that focus, Intuit should do everything it can to prevent fraudsters from signing up with its service in the first place.

LAX ACCOUNT RECOVERY TOOLS

In an interview with KrebsOnSecurity last month, Kodukula said a recent spike in tax refund fraud at the state level was due in part to an increase in account takeovers. Kodukula said a big part of that increase stemmed from the tendency for people to re-use passwords across multiple sites. “This technique works because a fair percentage of users re-use passwords at multiple sites,” I wrote in that article. “When a breach at one site exposes the email addresses and passwords of its users, fraudsters will invariably try the stolen account credentials at other sites, knowing that a small percentage of them will work.”

But according to the whistleblowers, Intuit has historically made it quite easy for fraudsters to hijack accounts by abusing TurboTax’s procedures for helping customers recover access to accounts when they forgot their account password and the email address used to register the account. Users who forget both of these things are prompted to supply their name, address, date of birth, Social Security number and ZIP code, information that is not terribly difficult to obtain cheaply from multiple ID theft services in the cybercrime underground.

In fact, the whistleblowers related a story about how they sought to raise awareness of the problem internally at Intuit by using TurboTax’s account recovery tools to hijack the TurboTax account of the company’s CEO Brad Smith.

Kodukula said that pursuant to changes made in the last two weeks, users who try to recover their passwords will now need to successfully answer a series of out-of-wallet questions to complete that process.
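The weak behaviours described above (a password-recovery page that listed every user ID tied to an email address, and signup that accepted a second account for the same Social Security number) next to their hardened counterparts, as an added illustration that is not code from the article or from Intuit. It assumes a constructed in-memory account store, a constructed server-side key, and the choice to keep only keyed hashes of SSNs and reset tokens rather than the raw values.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for keyed hashing of identifiers and tokens.
# In a real deployment this would come from a secret store, never source code.
HASH_KEY = b"example-only-key"

# One response for every recovery request, whether or not the address exists.
GENERIC_RECOVERY_MESSAGE = (
    "If an account exists for that address, a reset link has been sent to it."
)


def _keyed_hash(value: str) -> str:
    """HMAC-SHA256 of a value so the store never holds a raw SSN or token."""
    return hmac.new(HASH_KEY, value.encode(), hashlib.sha256).hexdigest()


def new_store() -> dict:
    """In-memory account store (constructed): user_id -> profile, plus an
    index of SSN hashes so duplicate identities can be refused at signup."""
    return {"accounts": {}, "ssn_index": {}}


def register_account(store: dict, user_id: str, email: str, ssn: str) -> str:
    """Signup with the two checks the article calls for: one account per SSN
    (the creditkarma.com behaviour) and an email that stays unverified until
    the user proves control of it, so it cannot yet receive reset links."""
    if user_id in store["accounts"]:
        return "error: user id already taken"
    ssn_h = _keyed_hash(ssn)
    if ssn_h in store["ssn_index"]:
        return "error: an account already exists for this identity"
    store["accounts"][user_id] = {
        "email": email.strip().lower(),
        "email_verified": False,
        "ssn_hash": ssn_h,
    }
    store["ssn_index"][ssn_h] = user_id
    return "ok"


def verify_email(store: dict, user_id: str) -> None:
    """Mark the address verified once the user enters the code mailed to it."""
    store["accounts"][user_id]["email_verified"] = True


def weak_password_recovery(store: dict, email: str) -> list:
    """The option Kodukula says has been removed: given only an email address,
    return every user ID tied to it. An unverified address shared by several
    profiles thus exposes other people's identities to whoever types it in."""
    email = email.strip().lower()
    return sorted(uid for uid, p in store["accounts"].items() if p["email"] == email)


def hardened_password_recovery(store: dict, email: str, outbox: list) -> str:
    """Hardened flow: the web response is identical for known and unknown
    addresses, a single-use token goes only to a verified address (so the
    requester must 'go back to the email associated with' the account), and
    the token is bound to one user_id so it cannot reset a different profile."""
    email = email.strip().lower()
    for uid, p in store["accounts"].items():
        if p["email"] == email and p["email_verified"]:
            token = secrets.token_urlsafe(32)
            p["reset_token_hash"] = _keyed_hash(token)
            outbox.append({"to": email, "user_id": uid, "token": token})
    return GENERIC_RECOVERY_MESSAGE


def consume_reset_token(store: dict, user_id: str, token: str) -> bool:
    """Accept a token once, for the profile it was issued to, comparing in
    constant time. Any attempt, valid or not, invalidates the pending token."""
    profile = store["accounts"].get(user_id)
    if profile is None:
        return False
    expected = profile.pop("reset_token_hash", None)
    if expected is None:
        return False
    return hmac.compare_digest(expected, _keyed_hash(token))
```

The `outbox` list stands in for the mail sender; in the hardened flow it is the only place a user ID ever appears, and only for a verified address.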

UNLINKED STATE RETURNS

As I wrote last month, a big reason why the spike in tax refund fraud disproportionately affected TurboTax is that until very recently, TurboTax was the only major do-it-yourself online tax prep company that allowed so-called “unlinked” state tax filings.

States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.

Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Intuit’s Kodukula explained. However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax. According to The Wall Street Journal, neither TaxAct nor H&R Block allowed users to file unlinked returns.

This entry was posted on Thursday, March 5th, 2015 at 12:06 pm and is filed under Other, Tax Refund Fraud.

135 comments

I am a faithful TurboTax customer for lo these four or five years. I am appalled at their incredulous disdain for the security of their customers. In another story on this, they were quoted as saying that the IRS was responsible for verifying filer identity. What? I am considering replacing my loyalties.

I think what people don’t understand is that, this fraud has nothing to do with Turbo Tax imo. Focusing on them only helps their competitors, not the tax payer.

Even with all these measures, all you are doing is being notified when fraud occurs. As a customer in the other BK thread has said, even after notifying the IRS a day after a fraudulent return was filed, the IRS still mailed the refund check, to god knows where, 9 days later!!!!

Also, if you leave TT and go to another company, what are their security practices? That’s what I’m curious about. What does H&R or these other companies do differently? Without the regulations in place by law, we aren’t really helping the general population without them.

I’m not sure if you are a paid Intuit shill or just slow. I’m going to assume it’s the latter, although your ridiculous posts point to the former.

What you seem to miss is that Intuit absolutely knew transactions were fraudulent, had the ability to stop the fraud, and in fact did, but once they realized the fraud was going to competitors, they rolled back the protections.

Not only does that make them an accessory to fraud, more to the point, it shows a willingness to put profits ahead of their users.

You say it gives their competitors an advantage if they clamp down on fraud. Not only is that Intuit’s main talking point, it ignores the reality that TurboTax shutting out fraudsters from the largest tax portal in the world most definitely has an impact. So the fraud goes elsewhere – good! I can’t think of any other industry where getting rid of fraudulent customers is considered a bad thing. Sure their competitors might gain an advantage – but it would be, and I’m gonna spell this out for you because you seem to be missing it – FROM FRAUD. Let’s not even go into the minor details, like how knowingly booking fraud is a violation of GAAP, it’s also a **** felony.

So sure, the fraudsters move on to a competitor. At least Intuit is not facilitating fraud. It also gives Intuit a clear competitive advantage when it comes to lobbying congress, marketing, fiduciary duty to shareholders and customers, etc etc. To say that Intuit cracking down on fraud does nothing to address the fraud problem is disingenuous. Removing available resources from their bag of tricks is most definitely a needed step in reducing fraud.

Intuit’s main argument seems to be this whole “fraud is like a balloon; if we squeeze it, it just goes elsewhere in the balloon.” Sure, but you know how to pop that fraud balloon? You squeeze it from increasing points until it has nowhere to go – then POP! If Intuit won’t take that first step, especially when they can (and have done so successfully), then they are knowingly enabling fraudsters. As much as you continue to give Intuit a blowjob and blame it entirely on the fraudsters, all you are doing is revealing yourself as breathtakingly stupid.

BTW, another story dropped today – I suggest you read it. Don’t worry, there are no big words in it:

Stopping fraud should give a tax preparation company a competitive advantage in attracting customers, too. I’d rather deal with a company that tries to prevent my tax information from being used fraudulently than with one that does not.

On the same conference call, MacDougall can be heard asking [Intuit’s General Counsel Michael Lyons] Lyons why the company wouldn’t want to use security as a way to set the company apart from its competitors in the online tax preparation industry.

“We don’t use security as a marketing tactic for Intuit,” Lyons explained. “We declared that this was one of our principles. It is always possible for Intuit to build a better mousetrap. But because it doesn’t solve the systemic problem of bad guys doing this, all it really does is shoot us in the foot and make it slightly easier for IRS to continue to kick the can down the road. What it does do is artificially harm our numbers and artificially inflate the competitive numbers associated with digital tax returns.”

“If any one company, ours or any other company, decided to take a whole bunch of actions that would 100 percent determine that every single one of their customers was exactly who they said they were, that would not stop fraud in the industry,” said David Williams, Intuit’s chief tax officer. “It would just push the fraud around. It would squeeze the balloon.”

First of all, they can’t 100% determine someone is a fraud. The proof Lee said was “100 returns per account” which still is not 100% proof, if even truly possible. And they don’t stop anything, they flag an account as suspicious and it’s still up to the IRS to stop it or not.

I’m not upset at the advantage other competitors will have, I’m upset at the fact that without regulations, focusing on TT is not going to help the taxpayers, at all. Not one bit.

I don’t work for intuit, but I do find some of you focusing on them instead of the IRS, SUSPECT.

“I’m upset at the fact that without regulations, Focusing on TT is not going to help the taxpayers, at all. Not one bit.”

I’d be interested to hear the “logic” behind that statement. Turbo Tax is the market leader in tax preparation. By beefing up their security, and (finally) addressing fraudulent returns processed through their system, they are going to be helping the majority of taxpayers who use computer-based tax prep software.

Exposure of Intuits “soft on fraud” stance is also going to be a wake-up call to other tax preparation companies, and the IRS, that consumers are very concerned about this problem. Tax fraud doesn’t just hurt the person whose information was abused, it hurts every one of us by stealing from the federal treasury.

It’s likely that none of Intuit’s policy changes listed in this article would have happened without a public shaming courtesy of Brian Krebs, which is a really sad reflection of Intuit’s corporate ethics. Just because you can get away with something, doesn’t make it right, nor should it be excused.

The “logic” behind this statement is that these victims of tax fraud, that used intuit, would STILL be victims of tax fraud, even if TT didn’t exist.

These victims’ Social Security numbers were not stolen from intuit servers. They were probably stolen off of people’s own personal computers, or attained elsewhere. And fraudsters are simply using TT for the same reasons everyone else does. It’s user-friendly.

So intuit is correct in saying, this won’t help the taxpayers or these victims at all. Fraudsters will just either use another service or file with snail mail.

The root of the problem is the IRS sends a refund check to any address. Period.

1. Making it more difficult to commit fraud will result in less fraud. Now that is logical.
2. Addresses are one problem, but it has been reported widely that 75% of taxpayers get their refund via credit/debit card or direct deposit, no mail required.

“Whats cracking me up is the fraud victims who had their socials and passwords stolen, were not stolen from TT’s data. And even if the company didn’t exist at all, it wouldn’t stop the fraudulent returns. Doesn’t this point to a bigger problem that exists?”

Many of these victims had their SSNs stolen from Intuit in the case of ATO. Intuit’s account recovery system was really weak up until recently, which is likely what enabled the increase in ATO this season.

In past seasons, the lack of MFA allowed for list-validation attack driven ATO.

I disagree, I think the main complaint is NEW accounts opened up with a social that the crook already attained elsewhere. That’s even the majority of complaints on this very blog from their customers.

And yes of course I agree TT should have two factor authentication. Although secret answers to questions are sold in bulk on the dark web just as much as passwords, according to BK articles.

I think the real solution is for the IRS to stop accepting returns filed from any address or any account. And to stop sending refund checks or debits to any address or any account. Isn’t this common sense regulation?

That’s the real priority, not focusing on single companies or easily bypassed measures, that will only cost certain companies or crooks more money, which at the same time, also doesn’t help the taxpayers or victims.

Actually in my case, my SSN was stolen from Anthem and the bad guys used my info to create a TurboTax account. Where TT fell over is there was already an account (mine) with that SSN; they should have never let 2 accounts have the same SSN.

Great insights as usual, however, not everyone has a mobile phone number or can be reached by mobile….in my case I get Canadian signals overriding my ability to use my mobile, despite all the hype of all the mobile phone carriers we still have dead zones on the island…Whidbey…

Good point Leo. I don’t own a cellphone but my bank gets around that by still offering me 2 factor authorization by giving me an 8 digit # by my choice of a phone call to my landline phone on their records or to my e-mail address. I’m glad they give me these additional choices besides just the choice of a cellphone.

Secret questions: the answers to these give the criminal from Russia/China the ability to go around your password. This is why I treat the answers to secret questions as additional passwords and assign a random password to the answers.

I’ve never understood why America doesn’t have “Pay As You Earn” tax, like other countries do. In Australia, we typically receive a refund at the Federal level, and there are no State taxes as such, hence there is no concept of a linked tax system. I have no idea whether there is any fraud occurring, apart from the usual evasion tricks.

America’s “pay as you earn” system is called “income tax withholding.” It means part of employees’ paychecks are sent to the tax agencies to prepay their tax. Self-employed people are supposed to make quarterly payments on their own.

When the income tax return is filed, the tax is calculated for the entire year. Then any tax prepaid by withholding or quarterlies is subtracted. Balances due or refunds are expected to result.

Employees can, within limits, adjust their withholding at will (IRS Form W4.)

And, the Form W2 that reports income and withholding goes first to the Social Security Administration pension-and-health system, then to the IRS tax agency. If the W2 forms are efiled, and the no-questions-asked 30-day extension is obtained, the due date is April 30. The unextended due date for tax returns is April 15. So the IRS can easily have no way to verify the amount of withholding a taxpayer claims at the time of filing.

I have seen mentions of moving up the due date for W2 forms to January 31, the date they’re due to employees. That would stress out people who work on payroll, but give the IRS a better chance at verifying W2 forms.

TurboTax is putting your returns at special risk this year, even if you try to do your taxes offline and never touch the Internet. How? They have disabled offline printing. Now, to print your return at home, you must be online and send them your data. No exceptions. The 2014 Intuit License Agreement confirms “You may save your return as a PDF file (and print) and understand it may be processed on Intuit servers, not as part of the Software” (bold italics mine). Is this necessary?

In the wake of the incessant hacking of TurboTax accounts, should we perhaps be trying to keep our data off the Internet? After all, how do you stop thieves who have your birth dates, social security numbers, billing addresses, bank names, investment account data, from stealing you blind?

I have always tried to protect my personal data. I keep all my login and passwords on a separate computer, which has never been online. I keep all my tax return data files on a separate hard drive, which has never been exposed to the Internet. But TurboTax this year is killing me! They want my data.

I wrote personal letters to the CEO asking for help. I appealed to customer service. Nothing. Approached the FTC. Nothing. Wrote to Senators. Nothing. Wrote to journalists. Several blog posts. No one really seems to care about identity theft or data security.

I don’t want to connect to Intuit. I don’t want to turn my Internet on. I just want to print a tax form from the CD on my trusty printer like last year. Intuit admits this change, but blames it on third party software. If so, why can I print tax regulations and tips from the program? I am willing to bet that Intuit CEO Brad Smith does not do his taxes on Turbotax. But you are unwittingly sending him your own data.

“The 2014 Intuit License Agreement confirms “You may save your return as a PDF file (and print) and understand it may be processed on Intuit servers, not as part of the Software” (bold italics mine). Is this necessary?”

Yep, even a locally stored return on a local copy of Turbotax needs to connect to the “Intuit Secure Printing Service” (what a misnomer). No net access, no printing. Last year, at least, you could “offline print.” (Based on TT for the Mac.)

From what I’ve seen, this is so Intuit can data mine the return. I’ve had it with them; this is the last year that I’m going to use their product.

I am fairly certain I was not connected to the internet when I printed to pdf and then printed the pdf on my printer from TurboTax Deluxe. So at this point, I have to say: are you sure you can’t print without being connected to the internet?

I did just notice in task manager that intuit update service was running even though I had turned it off twice. That means they have it running ALL YEAR LONG. Golly.

These fraudsters use it for the same reasons that everybody else does. Their servers were not hacked. Don’t hate on intuit just because their website is easier to use and H&R Block only has 7 million compared to TT’s 30 million users lol

Requiring a mobile number isn’t as simple as it seems. I think Brian means requiring “a” phone number, not necessarily mobile.

Many of us are still living happily without mobile options. Before anyone snidely refers to such people as needing to catch up to the 21st century, bear in mind that they also avoid a slew of problems that come with the 24/7 access/connectedness of mobile. They avoided all kinds of corporate spyware & privacy worries. The case Brian is making would work fine with a land line. Access codes don’t need to be transmitted via SMS. There are other ways.

Requiring people to pay taxes using a certain currency was the way that the use of new currencies were enforced in the past. “Requiring” a mobile phone in order to pay one’s taxes would lead to your mobile phone being your new SSN; and the SSN was NOT supposed to be used as a form of ID when it was introduced. Two-factor authentication does not always need to be a mobile phone.

Thanks Brian! This story has helped me make that final decision to leave TurboTax. I have used their products for many years and I have a really clear picture that this company is more interested in profits from fraudulent activity than they are in protecting us. The pushback from them is alarming and so I leave them but will keep an account to somehow monitor whether these crooks will somehow allow other crooks to access my information. Never again will I use or recommend anything Intuit. I will also be sure to warn everyone I can about the serious dangers of doing business with such a disreputable company. Thanks again for keeping us informed!

I figure one reason they want peoples’ tax return information in their servers is for bug-finding. With large amounts of data in their databases they can import that data into their software while debuggers are monitoring the programs. Real-world data, as well as errors in data entry by their customers, helps the programmers ferret out bugs.

Their unwillingness to require their users to authenticate themselves, and their poor handling of user accounts, causes me to think the original account-creation, -access, and -maintenance interfaces have been slapped together over the years, and the CEO etc do not want to revise any of that software.

How much is that CEO getting paid?
How much are the corporation’s lawyers getting paid?

Why do you feel intuit systems are more likely to be hacked than any other server that has your social?

Whats cracking me up is the fraud victims who had their socials and passwords stolen, were not stolen from TT’s data. And even if the company didn’t exist at all, it wouldn’t stop the fraudulent returns. Doesn’t this point to a bigger problem that exists?

You seem obsessed with thinking the rest of us think TurboTax is being hacked.

You don’t understand what is going on. Criminals are using the TurboTax website/servers to commit identity fraud, and the TurboTax powers-that-be are refusing to make changes that would reduce how easy it is for the criminals to commit that fraud.

Once someone has provided TurboTax with their identification, especially their Social Security Number, the corporation has a fiduciary responsibility to protect that person’s account and information from access by other people.

Our argument is TurboTax has a responsibility to prevent criminals from using other people’s identification to file false tax returns.

Actually they did make changes, which is what BK’s article states. But their point, that it won’t stop any of the fraud, is not incorrect. Because as they said, fraudsters will just use another service, or file with snail mail.

What you really should be concerned with, is how did someone get your social, and why does the IRS send a refund check to anyone.

I go to my CPA and he electronically files. Got my refund check faster than I ever have, a matter of days! I pay pretty good for having him prepare and file but so far not anxious like Turbo Tax customers. In time I suppose if not already I could have a problem.

Meanwhile, our Anthem accounts may or may not have been hacked. We have yet to receive a letter telling us so from Anthem as they promised. Doesn’t matter, we put a freeze on our credit for $5. Who needs the worry?

All parties involved have repeatedly stated that Intuit professional software is NOT affected, since only tax pros can create accounts OR returns there. Pro tax software is simply NOT conducive to this type of fraud.

Since the issue is not about data being stolen from internet servers, and the issue seems to be proving one’s identity to make an account, ironically for people who are having their identity stolen….. let me ask you this.

What is needed to open an “account” with the IRS? Because even if TT didn’t exist, the victims of these frauds would STILL be victims of this fraud.

I think you’re overestimating how many fewer victims there will be. IMO, it will not even be noticed. Tax fraud is not new, the only new thing here is how many are using TT now.

Forgetting the fact a crook could just use another service, like H&R Block hahaha…..All a crook has to do is hire a secretary and buy reams of paper. How much longer do you think it will take? 3 days in the mail, depending on how he mails it? The IRS sends refund checks in bulk to random addresses. Do you think they care when they get bulk returns in?

Similar to how talk and a focus like this will only cost TT money and not help the taxpayers. This will also only cost crooks lots of money, and not help victims at all….at all!

I can imagine before TT, crooks just hired someone to print out a bunch of returns and bring them to the post office or UPS. So maybe yes, some lucky, would-be victims will have filed in the time it was in the mail, let’s get generous and say a week. I don’t think the number would be that significant at all. Majority of victims would still be victims.

And still they are only a tool, to use information from customers already compromised. It wasn’t their system that was breached.

But without regulations in place, who is to say what other companies are doing? INTUIT is still only doing this voluntarily. I think that’s the major point people are missing. Focusing on TT and not the IRS is only helping their competitors, not the tax payer.

Reminds me of how Snowden has Americans focusing on the possibility the NSA might be spying on them, instead of the more likely FBI or Secret Service, or Russian Hacker. Which is more the interest of foreigners, rather than Americans. It’s not really helping, it’s distracting from the real problems.

CooloutAC, thank you for all your posts in this thread defending Intuit in the most ridiculous ways. No one ignores the points of the original thread so flippantly and stays so hyper-focused on a few talking points except a professional public relations employee. Whether you work for Intuit directly or through a third party, your posts tell me everything I need to know about the company you defend here. They care only about public image and profit. Everything else is less important. The blame the customer mentality is weak. I have been a TurboTax customer in the past. Your posts have shown me the light. I will no longer use any software produced by Intuit. I have just printed out paper forms from IRS.gov and will fill those out and send them in directly. Congratulations on a job well done!

If companies like intuit didn’t exist, these same people who have been victims of fraud would STILL have been victims of fraud, with crooks simply using the paper returns you prefer now. That’s the whole point!

Nice retort. Did you think people couldn’t do business before the internet, with paper only? Hahaha, and I’m the idiot? It will only cost the crooks more money. But these current victims will still be victims. There wouldn’t be any fewer victims, sorry to all who believe that.

On an unrelated topic, the guys who just proved how to hack a car on 60 Minutes, including overriding the brakes, practice something called pervasive formal verification, I think it’s called. Which in layman’s terms means, the guy who used to work at NASA explained, instead of using tools to find bugs in software, they can prove certain software is perfect using algorithms. It’s over my head, but they said until recently computer processors were not powerful enough to do this, and they still had to use pencil and paper….lol

This is yet another manifestation of Intuit’s utter disdain for its own customers. It follows on the heels of them stripping functionality from versions of Turbo Tax, forcing customers to upgrade, and pay more, for the same functionality. They ultimately relented, but only after a huge customer backlash. They also routinely cripple functionality in Quicken, forcing customers to buy the latest version to continue basic things like online stock quotes. This arrogance is caused by their market dominance in both tax and financial management software.

Why a phone at all? Safest correspondence I’ve received gives an email address that must be pasted into your browser (no clicking on the link) and then a separate code that needs to be entered once communication with the website has been established. A new email address and code should be used every time for access. Most companies are much too lazy when it comes to decent security.

If the fraudsters have already gotten your username/password to your account (which is how they usually gain access), there is usually a very high incidence where that same password is used by users to access their email (reusing passwords is a well-known problem). Thus, email could very often be intercepted by the hackers, which is why non-email as a secondary method of validation is preferred.

You don't want that. Spoofing numbers using VoIP is easy and common in the US, as most carriers don't verify the caller number is real. Because VM can often be listened to without a PIN if you are calling from your own number, you are toast.

Allowing non-mobile would hurt security for all those mobile users. Various companies (e.g. Google, LinkedIn) have moved away from land-based VM. There are techniques that make land-based second factor safe again, like forcing live calls with a robot instead of VM, but these are more complicated and I cannot blame a company for not going that route.

So sorry, just get a $20 prepaid, file the old way using paper or just walk into an H&R Block office. I don't mean that harsh, but in 2015 the world doesn't need to hold itself back for people who are unwilling to get a $20 prepaid. Those people have plenty of other options.

True, I think most companies use texting because maybe it's cheaper and easier to implement. Plus easier to keep a record of.

But a company like TT, who supposedly, I guess like the IRS, is more concerned about making it easy for people to get their returns above all, should also use VoIP for those who don't have texting or a cellphone.

“Sure, but you’re talking about spoofing the caller’s number, not the recipient’s number. The first is trivial. The second isn’t”

Yes, but to get the PIN from a VM, you only need the first … After all that is where the VM is. So the crook calls the phone company spoofing your number, and hence gets into your VM. Often without security as many telecom companies disable those when calling from your ‘own’ number.

This is not theory, this is already done! It prompted e.g. LinkedIn to disable VM PIN as it was a real actively used attack.

Some companies now force live responses like pressing a button, so one actively needs to pick up and won't leave PINs on VMs, but that is more complicated to implement. I doubt the user base (no mobile, but wants to do online taxes) is large enough to warrant the investment. And most of them probably budge and get a $20 prepaid.

I have been using the CD version of Turbo Tax for about 4 years without any problems. This year someone filed a 1040A in December 2014 using my ID but with the wrong spouse information. I filed 2014 state tax forms and received a refund. Can I blame Turbo Tax? I don’t think I can because I used the CD and they had the wrong spouse information and we filed jointly.

The credit website quizzle.com was this way for a long time, where someone could pretty much obtain a credit report on someone by obtaining basic knowledgeable (out of pocket) information on a person who they were trying to target. They did not offer 2FA, email validation or validation using the last four digits of a person's social security number. If you had enough information about a person, you could basically obtain credit information on anyone just knowing basic things like a person's address and also the out of pocket information.

“Part of the power of Quizzle® is our external partners. By teaming up with folks who are the best at what they do, we can better serve your needs, bring you greater value and offer stronger expertise.”

Hi Brian –
For the reasons you’ve listed in your reports about TurboTax, I didn’t use them this year, the first time since 1996.

I just went to their site to try a “password recovery”.

They responded to my email address with ELEVEN User IDs linked to that email address. When I went to the ‘change password’ page, they asked ONE ‘out of wallet’ question, the answer for which was easily available.

Serious question, no judgement: Could it be those 11 are actually yours from previous years, and the system just creates a new ID every time you filed using their software if one does not *explicitly* reuse a previous year ID?

Else I'd assume you'd already be a victim of ID theft? I mean, why would a thief use your email?

Are TurboTax security policies lacking… Yes. Do they need to be addressed… Yes. But that’s not the cause. I’d like to get to the crux of the issue, payments. Payments to prepaid debit cards should be ceased, period. I know that a segment of the population would be upset if this payment option was stopped, but it exposes too much risk. They’re getting the funds via an untraceable delivery mechanism. If it wasn’t TurboTax (or any of the electronic providers), they’d prepare and submit them manually. If I’m not mistaken, it’s a pain but you can get a falsely filed return fixed. Is the government recovering ANY of the funds being paid? We need to fix the real problem. Take away the cash and the problem will be drastically reduced.

When I got my State tax account, before I could use it I had to answer specific questions about the numbers on lines that were entered on past years' tax returns. It seems since Turbo has this info in prior submissions they could do the same security check. Even if they don't keep the data, they could set something up to allow them access to correct the answers from the IRS since they are submitting returns. This whole thing has gotten out of hand and all concerned, companies like Turbo-tax and the IRS, are not doing enough to prevent it. It's absurd that the IRS is tolerating this abuse.

I think Intuit has been designing their products for the mobile market. Their home finance product, Quicken, now requires that you enter your bank account/password into their online password vault so you will not have to enter those credentials again. I assume they are storing that information in their cloud. There are many users' complaints/questions/security concerns over this on the Quicken forum. Intuit seems to be making bad business decisions. I didn't buy TurboTax Deluxe this year because they moved many of their forms to the Business edition. Consumers have been complaining about this, too.

You’re absolutely right. As the leader in online tax prep, in this current environment, we have a special responsibility towards driving the best security there is to protect taxpayer information.

Regulations like “know your customer” that have been successfully adopted in the financial services industry can and should be adapted to our industry as well. It’s on our roadmap. Our challenge is figuring how to do it based on the specific behavior of tax payers — people don’t pay taxes as often as they visit their bank.

This is a challenge facing all players in the tax prep industry. And we’re going to take the lead on driving adoption.

Nat, sounds to me from what I’ve read, and what senior executives were caught on tape saying, you guys *already had* this issue tackled a few years ago, but rolled back those protections to boost your bottom line.

How was it you guys stopped fraud back then, but now you need a roadmap to do it again? This is clearly yet another punt. If I hear you guys yap about how it’s an industry problem again, I’m going to retch. How about you guys man up, strap on a set of balls, take your punishment and then do the right thing.

Sounds to me you guys should hire back the two security engineers and let them fix things – again. Just this time don’t let the company choose fraud over its customers.

No one would be talking about this if Intuit hadn’t had so many fraudulent tax returns. The fact that they don’t even listen to their own security people is appalling. Customers need to know they can trust you with their personal information. Intuit has shown that they believe in profits and convenience over user security. They act as if end users are to blame for all the fraudulent activity. “No breaches on our side. Not our fault.”

Intuit needs to fast track their roadmap. I’ve heard vendors say “it’s on the roadmap” and it took years for them to implement.

Here are some other security issues that Intuit should also address.

1) After authenticating there needs to be a date and time of a user's last login as well as the IP address (and geo-location) that was used. This would help customers find out if someone else logged into their account. Also a history of the previous 5 logins would minimize compromised accounts.

2) True multifactor authentication using either a phone number or soft-token. Not email.

4) Stop sending out email advertisements to users with their usernames. No other company I've received emails from sends me my username. This is a security issue, as hackers with compromised email accounts will only need to issue a password reset. They don't need to go through the "forgot my username" process on Intuit's site. Most users don't delete emails. They just archive them.

5) Allow users to delete their accounts. I know there is a law that says tax preparers need to keep returns available for 7 years, but these returns can be archived on a server that’s offline and not connected to the internet. A customer has a right to delete their account.
Don’t make it tempting for hackers to try to breach inactive user accounts. (Reduce the attack surface)

6) Verify geo-location from IP addresses for authenticating users. If a user lives in NY, but logs in from China, well, shouldn't that be a red flag?
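The login-history display in item 1 and the geo-location red flag in item 6 above describe one detection mechanism from two sides: keep a per-account record of where and when logins happened, show it to the user, and score each new attempt against it. The following is an added example (not code from the commenter, from Intuit, or from this site) of how that scoring could be implemented. The IP-to-country table and all login records are constructed for illustration; a real deployment would replace the table with a GeoIP database lookup, and the thresholds (six hours for "impossible travel", three failures per hour) are assumptions, not values from the page.

```python
"""Added example: flag anomalous logins against a per-account login history.

All sample data below is constructed for this example. GEO_TABLE stands in
for a real IP geolocation database (hypothetical prefixes from RFC 5737
documentation ranges).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Hypothetical prefix -> ISO country code table (constructed, not real geodata).
GEO_TABLE: Dict[str, str] = {
    "203.0.113.": "CN",
    "198.51.100.": "US",
    "192.0.2.": "US",
}

# Assumed thresholds; tune per deployment.
IMPOSSIBLE_TRAVEL_HOURS = 6.0
FAILURE_WINDOW_SECONDS = 3600
FAILURE_THRESHOLD = 3


def geolocate(ip: str) -> str:
    """Longest-prefix style lookup over the constructed table; '??' if unknown."""
    for prefix, country in GEO_TABLE.items():
        if ip.startswith(prefix):
            return country
    return "??"


@dataclass
class Login:
    when: datetime          # timezone-aware timestamp of the attempt
    ip: str                 # source address as seen by the web tier
    success: bool           # whether authentication succeeded
    country: str = ""       # filled from geolocate() if not supplied

    def __post_init__(self) -> None:
        if not self.country:
            self.country = geolocate(self.ip)


def recent_logins(history: List[Login], n: int = 5) -> List[Login]:
    """Last n successful logins, newest first -- what item 1 would show the user."""
    successes = [entry for entry in history if entry.success]
    return sorted(successes, key=lambda entry: entry.when, reverse=True)[:n]


def assess_login(home_country: str, history: List[Login], attempt: Login) -> List[str]:
    """Return the red flags raised by `attempt`; an empty list means it looks normal.

    Flags are ordered from cheapest to most context-dependent so a caller can
    act on the first one (e.g. force a second factor) without evaluating the rest.
    """
    flags: List[str] = []

    # Item 6: the account's registered country disagrees with the source IP.
    if attempt.country != home_country:
        flags.append(f"country_mismatch:{attempt.country}")

    prior = recent_logins(history)

    # The country has never appeared in the recent successful-login history.
    if prior and attempt.country not in {entry.country for entry in prior}:
        flags.append("new_country")

    # Impossible travel: last success came from a different country too recently.
    if prior:
        last = prior[0]
        hours = (attempt.when - last.when).total_seconds() / 3600
        if last.country != attempt.country and hours < IMPOSSIBLE_TRAVEL_HOURS:
            flags.append(f"impossible_travel:{last.country}->{attempt.country}:{hours:.1f}h")

    # Burst of failures just before this attempt suggests guessing or stuffing.
    recent_failures = [
        entry for entry in history
        if not entry.success
        and 0 <= (attempt.when - entry.when).total_seconds() <= FAILURE_WINDOW_SECONDS
    ]
    if len(recent_failures) >= FAILURE_THRESHOLD:
        flags.append(f"recent_failures:{len(recent_failures)}")

    return flags


def _utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample history for one account registered in the US.
HISTORY: List[Login] = [
    Login(_utc(2015, 3, 1, 14, 0), "198.51.100.7", True),
    Login(_utc(2015, 3, 10, 9, 30), "192.0.2.44", True),
    Login(_utc(2015, 3, 12, 18, 5), "198.51.100.7", True),
    Login(_utc(2015, 3, 12, 18, 40), "203.0.113.9", False),
    Login(_utc(2015, 3, 12, 18, 41), "203.0.113.9", False),
    Login(_utc(2015, 3, 12, 18, 42), "203.0.113.9", False),
]
# Constructed attempts: one from the usual US address, one from a new country
# less than an hour after the last US success, right after three failures.
NORMAL = Login(_utc(2015, 3, 13, 8, 0), "192.0.2.44", True)
SUSPICIOUS = Login(_utc(2015, 3, 12, 19, 0), "203.0.113.9", True)

if __name__ == "__main__":
    for entry in recent_logins(HISTORY):
        print(entry.when.isoformat(), entry.ip, entry.country)
    print("normal    ->", assess_login("US", HISTORY, NORMAL))
    print("suspicious->", assess_login("US", HISTORY, SUSPICIOUS))
```

The point of returning a list of named flags rather than a single boolean is that each flag maps to a different response: a country mismatch alone might only warrant a notification to the account holder, while impossible travel combined with a failure burst justifies blocking the session and forcing a second factor.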

If you don't have a user account with Intuit, then there isn't any account for an attacker/fraudster to take over. You're clear from that danger.

You’ve already filed this year, so in that respect, you are clear for this year.

The biggest danger you have going forward is keeping your personally identifiable information (SSN, date of birth, zip code, etc) private. If that data becomes compromised (your HR at work, a health provider compromise, someone going through your trash, etc), then someone could use this information to steal your identity in the future.

Should still be upset with Intuit for both their incompetence, and their criminal enablement of fraudsters.

“If you don’t have a user account with intuit” .
I had to create an online account with Intuit to use Quicken, not TurboTax. An Intuit account is required to download your bank statements. So, I suppose I am at risk now.

Only if the data associated with your Intuit account is sensitive. If you've not shared your SSN with Intuit, when a hacker takes over your account they cannot get your SSN from Intuit; they can only see the data that is associated with your account.

I would suggest not creating an account with any of these companies. You can use the tax software offline without registering it. Keep your own digital tax records and returns, and neither TT or Block or anyone will have that information available on some internet accessible account.

I don't own a cellphone, but my bank gets around that by still offering me 2-factor authorization by giving me an 8-digit number by my choice of a phone call to my landline phone on their records or to my e-mail address. I'm glad they give me these additional choices besides just the choice of a cellphone.
I have used TaxAct since 2004 and find the software does an excellent job in preparing my taxes and protecting my identity. I also appreciate all the information from Brian that allows me to keep myself better protected from all the cyberthieves from Russia, China, and much of Eastern Europe (ex Soviet Union countries) where much of this thievery originates.

Dave: the US does have that; taxes are deducted at source from employee pay checks. But there are still millions of freelancers, self-employed, and people who run part-time businesses on the side, and even ordinary employees file returns because various allowances mean they're owed refunds.

Years ago, I used Turbo Tax twice. They installed so many junk links on desktop that I complained in their “how can we improve” comment section. The next year brought more junk. A company that is routinely evil to a paying customer doesn’t have me for a customer. Starting to look like I made a good decision.

I’ve been thinking about all the articles we’ve see here and other places over the years about various Intuit products, and I’m not just talking about those concerning security issues, but also screw the customer issues. Somewhat tongue-in-cheek, I have to wonder if Larry Ellison, the co-founder and former CEO of Oracle, isn’t secretly in charge of Intuit. It would explain a lot of things Intuit has done.

I’ve not used Turbo Tax before. However, I’ve used Quicken for many years and still do. It works. BASICALLY.

But Quicken also has a number of little glitches and is missing what I’ve come to regard as essential features. But these issues are not addressed as Intuit pushes out a version each year.

My feeling is that Intuit is fat, happy, and lax with all the money coming in. The corporate culture at Intuit is focused on sales. Not customer service. Apparently the top management doesn’t realize that forgetting to take care of customers can spell the end of a wonderful run of business…